Hacking the Square

January 4, 2012

For Christmas, I received a cool little device called the Square from Ed Park. You plug this device into the audio mini jack on your smartphone and you can swipe credit cards right on your phone. It’s perfect for people doing business on the go. Or… next time your buddy owes you money, the “I don’t have any cash on me right now” excuse won’t work.

The first strange thing I noticed was that the data was being input via the audio jack rather than the data port (located at the bottom of the iPhone). There are three types of audio mini jacks: mono, stereo, and stereo/microphone. Since the iPhone audio jack accepts corded hands-free earpieces as well as earphones for music, it has to be the combo jack (stereo/microphone).

If you look at the tip, you’ll notice there are four sections separated by insulated plastic rings.

This type of plug is known as a TRRS plug: T-R-R-S stands for Tip-Ring-Ring-Sleeve. The tip carries left-channel audio out, the first ring right-channel audio out, the second ring ground, and the sleeve microphone in. What I would like to know is how the Square transmits your credit card number into the software through the audio port. Since input is only possible through the sleeve (the microphone terminal), before wiring each terminal up to an Arduino and outputting data to serial, maybe we can find out whether the data is actually audible. By simply plugging it into a computer’s mic-in port or firing up the voice recorder app on the iPhone, we can find out what our credit cards sound like.

Interesting. So if I just record the swipe of each of my credit cards, I can technically store credit card numbers as wav files and play them directly into the Square software. I inspected each of my credit card wav files and tried to spot some kind of pattern that matched the pattern of my credit card numbers. I didn’t think that was going to be successful, but it was worth a shot.

I then decided to rig the Square swiper up to my Arduino and display the output over serial. Here is the Arduino code:

I chose an analog input because the audio mini jack is analog. I know what each section in the TRRS spec does, but does it need power? Do I need to connect the ground? Do I need to power it through both left and right channels? I wasn’t sure, so I decided to simply try different combinations.

When I connect the ground, I get a bunch of 0s. When I swipe the credit card, I get a few numbers… but not nearly enough to carry the data I assume the stripe holds. When I disconnect ground, I notice something interesting.

Now I’m still not sure if I’m on the right track, because I expected a bunch of 1s and 0s… but I noticed a pattern in the numbers. The numbers are grouped in fours: every four numbers, the pattern repeats itself.

It makes perfect sense. I’m going to assume the credit card stripe MUST be carrying 4 rows of data, and thus 4 different reads from the swiper. So I tried swiping my credit card to investigate the reads. (I’m not posting the output from my credit card here… but I’ll post the output from when I swiped my Disneyland Annual Passport!)

I’m gonna go ahead and assume the data isn’t encrypted (at this level at least; I’m pretty certain it’s encrypted at the software level), so it’s just a matter of deobfuscating it. Unfortunately for me, I was staring closely at the output and started getting sleepy. Hmmm. I’m not sure if I’m on the right track or not, so feel free to chime in if you have any ideas. I shall come back to this later.


apparently the square simply transmits the data through the audio jack unencrypted, and then decoded via software? dood, that is some seriously flawed design in terms of security. that means any malicious app can turn the Square into a skimmer with no hacking or modding necessary. there is no way in hell anybody in their right mind would actually pay anybody using one of these things, not me at least. not unless you come up with some anti-skimming tin foil card protection. that would be awesome.

What did the .wav sound like when you played it? Check out the frequency spectrum in Sonic Visualiser (sonicvisualiser.org). I bet you’ll see a pattern. Maybe it’s simple like DTMF?

Also, when connecting the Square’s sleeve to your Arduino, you’re definitely going to want to connect a common ground (2nd ring) – otherwise you’re just reading noise. The Arduino’s analog input is a 10-bit ADC, so it will give you a value between 0 – 1023. That value is proportional to the voltage on the sleeve at the time of sampling.

Your code samples the voltage of the Square’s output every 50ms (20Hz). To have a shot at programming your Arduino to decode the output you’ll need a sample rate of at least 8KHz. I’d stick to your box’s sound card.

Thank you Josh! What you said makes total sense. While rigging this up, I added the 50ms delay temporarily during analysis. But you are right. Even with 0 delay, it wouldn’t even suffice for an 8KHz sample rate.
Looking at the .wav file after checking out the phrack article on credit card skimmers, it all makes sense! http://krebsonsecurity.com/2010/11/crooks-rock-audio-based-atm-skimmers/
It all interprets into binary data based on the kind of wave! I have not revisited this, but I certainly would like to at some point.

Check the .wav to get an idea of bit times for a swipe. I bet they’re long enough that you could decode it on the Arduino. I’d try using an opamp wired up as a zero crossing detector and sample that on a digital input pin.

I would bet that the output is just the raw magnetic flux from the head. This will represent the north-south coding of the magnetic flux transitions on the swipe. To test the hypothesis – it’s quite simple – you should get a shorter data “burst” on the audio if you swipe the card faster. In fact, if you sample at a high enough sample rate, and you swipe fast enough, the data should be “above” DC so much that you should get a good “square wave” representation in an audio editor as opposed to a sloping square wave (due to the limitations of the filter capacitor preventing the DC portion of the signal from passing in your sound card).

With that, if you “slice” the signal around the mid-point, you can probably use the durations in between mid-point crossings to get your data.